Force Rsync Command via SSH but Allow Any Directory

Recently, I needed to sync several directories on a backup / fail-over server with the same directories on a production server. Rsync over SSH takes care of this, but if you want to tighten security, you must use the “command” restriction in the SSH authorized_keys file — This restricts the authenticated key to running a single command, with a specific set of arguments. For example, let’s look at a typical command that might be run from a backup server to rsync daily database dumps:

backup$ rsync -av --delete -e "ssh -i $HOME/.ssh/prod-rsync-key" \
    prod:/var/lib/mysql/dump/ /var/lib/mysql/dump/

Continue reading